RV042 Preshared key hidden

Hi everyone,
I'd like to know if it's possible to hide the Preshared key in the router configuration.
By default, you can see it in clear text if you have access to the RV042.
Thanks for your feedback.
Regards,
hdam

Hello hdam,
As far as I know, when you're administering and accessing the router configuration and you're setting up VPN, there is no method (or a checkbox) to hide the preshared key away from plaintext.
If security is a concern, perhaps limit the available management access to the vpn router, so not too many users will know the preshared key.
-Andrew Lien

Similar Messages

  • SSID with preshared key + ISE

    Hi,
    We have recently implemented Wifi at our site. We have Cisco 3502 APs, a 2504-WLC and the latest Cisco ISE. I understand that in an ISE deployment, we can't have a preshared key (password or key) for the SSID, as ISE will take over the authentication. Is that right?
    Current scenario:
    1. Laptop with wifi enabled will select the SSID in the list. Since we have disabled the broadcast, it will be shown as other network in the list.
    2. User will select the other network and manually enter the SSID string.
    3. Once the SSID matches with the WLC, he/she will be redirected to the ISE URL where he/she needs to enter the domain credentials.
    4. After the credentials are validated, ISE (NAC) agent will be downloaded on the laptop.
    5. Posture will begin and check for the compliance.
    6. If the laptop is compliant, the laptop will be allowed in the network, else it will be rejected.
    Here, I would like to have preshared authentication for the SSID in the first phase, as my infosec team is very particular about that. How can I achieve that?

    Creating Native Supplicant Profiles
    Before You Begin
    • If you intend to use a TLS device protocol for remote device registration, be sure you set up at least one Simple Certificate Enrollment Protocol (SCEP) profile, as described in Simple Certificate Enrollment Protocol Profiles, page 8-31.
    • Be sure to open up TCP port 8909 and UDP port 8909 to enable Cisco NAC Agent, Cisco NAC Web Agent, and supplicant provisioning wizard installation. For more information on port usage, see the “Cisco ISE Appliance Ports Reference” appendix in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2.
    Step 1 Choose Policy > Policy Elements > Results > Client Provisioning > Resources.
    Step 2 Choose Add > Native Supplicant Profile.
    Step 3 Specify a Name for the agent profile.
    Step 4 Enter an optional Description for the Native Supplicant Profile.
    Step 5 Select an Operating System for this profile.
    Step 6 Enable the appropriate options for Wired or Wireless Connection Type (or both) for this profile. If you enable the Wireless connection option, be sure to also specify the device SSID and the wireless Security type (either WPA2 Enterprise or WPA Enterprise).
    Step 7 Choose the Allowed Protocol for the device profile.
    Step 8 Enable or disable other Optional Settings as appropriate for this profile.
    You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user logs in, based on the profile that you associate with that user’s authorization requirements, Cisco ISE provides the necessary supplicant provisioning wizard needed to set up the user’s personal device to access the network.

  • Lms3.2 passwords & preshared key

    hello,
    i have added some ASA to my ciscoworks server.
    when i look at the config i see that preshared keys are removed and replaced by a star *
    i see something like
    tunnel-group cisco ipsec-attributes
    pre-shared-key *
    Then I searched some directories for the plain text config files and they do not contain the preshared keys....
    If I try to recover from a disaster with those "backup files" it's gonna be useless.
    Are there any tricks to include preshared keys and passwords in my config files?
    thanks

    The devices themselves are putting these stars in the config (starting in 8.2). The way RME archives the config is to do a "show runn" and extract the config from the output. RME does not yet support the ability to do a copy runn tftp, which would allow the clear text passwords to be archived. However, this undoes the security one would get by performing the screen scraping over SSH. Therefore, LMS only uses the "show runn" command to get the config.

  • DMVPN/preshared key configured and device stolen

    Hello,
    I have a question on DMVPN solutions where device is already configured with a preshared key and expected to be a part of a network once the device is fired up.
    Now what if this device (e.g. router) is stolen and plugged to the Internet? I believe it will establish a connection with a hub router because preshared keys, DMVPN config are matching and is there a solution to prevent this?
    I know it is a physical security question however I need to consider this rare scenario.
    Thanks,
    Deepak Ambotkar

    The solution for that problem is to use digital certificates which is a best-practice for DMVPN. For that you can also use an IOS-router as a CA-server.
    If you decide against certificates, then you can at least use PSK-encryption. That doesn't help against stolen devices, but helps against rogue spokes when someone can get the client-config.

  • Anyconnect and preshared keys

    Is it possible to use the anyconnect client and still use preshared keys?  I'm trying to remediate a PCI issue that requires removing IKEv1, and preshared key, and disabling aggressive mode.
    Will any of this break Anyconnect?  Your assistance is appreciated!

    Hi,
    It is completely possible. You can disable the aggressive mode on the ASA and it will not affect AnyConnect, because it uses the TLS and DTLS protocols, which are completely different from IPsec.
    Now you can disable the aggressive mode as follows:
    hostname(config)# crypto ikev1 am-disable
    If you have VPN clients IPSec, they will work with main mode if you use certificate authentication only, not using pre-shared keys.
    David Castro,
    Regards,

  • Question on IKE preshared key for sun systems.

    Hi All
    I'm testing IPsec between a Sun system and a device (and Windows XP). The main mode negotiation failed in the third exchange when encryption is on. The responder side complains that the payload sent from the other side is malformed. I suspect the problem is related to the preshared key configuration. The Sun system requires a hexadecimal preshared key, and the resulting key length should be at least what the encryption algorithm requires (from the IP service manual):
    The encryption algorithm in this example (see Step 2) is DES, so the pre-shared key must be at least 64 bits. However, a longer key length is a good idea. For example,
    # ike.preshared on enigma, 192.168.66.1
    { localidtype IP
         localid 192.168.66.1
         remoteidtype IP
         remoteid 192.168.55.2
         # enigma and partym's shared key in hex (128 bits)
         key ac077cc699c17055848a3cf34377980a
    }
    My question is that how should I configure the preshared key to match the one in Sun? like in windows system? I tried to use the exact same key on windows, but the authentication failed. If the problem is not from preshared key, any comments are welcome.
    Thanks a lot!

    To restore the key from encoded data you have to use one of the KeySpec classes, in your case DESKeySpec. Then you can use the KeyFactory (SecretKeyFactory in this case) class to regenerate the key.
    SecretKeyFactory factory = SecretKeyFactory.getInstance("DES", "SunJCE");
    myDESkey = factory.generateSecret(keySpec);

  • Entered Wrong preshared key on WLAN

    Hi
    I entered the wrong preshared key on the WLAN and I can't change it. Tried using the connection Manager but it still says incorrect.
    Can anyone help please?
    Thanks

    Menu - Tools - Settings - Connections - Access Points - Select the WLAN in question - Options - Edit - WLAN Security Settings
    Hope that helps

  • PA30 - field "Bank Control Key" hidden for Brazil company code

    Dear friends,
    We are facing a problem when we use PA30 to create a Personnel nr. for country Brazil. We need to have the field Bank Control Key visible on the screen, but it is opened only for other countries.
    Does anyone know the way to set up PA30 to have the field Bank Control Key opened in the infotype Bank Data, where we can enter specific content for Brazil?
    BR,
    Alessandro

    Hi,
    In this table T588M you can make change to the fields in your infotype.
    Hope it helps.
    Regards,
    Edoardo

  • Wifi Profiles with PreShared Key

    Hey everyone,
    I have a client with some pretty basic requirements that they would like to see from SCCM/Intune. One of those is the ability to deploy WPA2-PSK Wireless profiles to newly enrolled Intune devices (iOS, Android, and WP8). They would like to deploy the PSK as part of this process so they don't have to hand out the key to everyone. I see there isn't a way in the interface to configure a WPA profile with the PSK. Does anyone know if this is possible any other way?
    If not, I guess unless you're not broadcasting your SSID, what would be the advantage of deploying a WPA-PSK WiFi profile versus the user just selecting the SSID and clicking connect themselves from whatever device they are on? Maybe I am missing something?
    Thanks!

    Hi,
    No, you are correct, it is currently not possible. The only benefit of deploying the WiFi profile is that the device will connect to it automatically, but you would still have to enter the password.
    Regards,
    Jörgen

  • Where is my network key hidden?

    I have a wireless network setup in my home. The router is a D-Link 802.11g router. I have WPA encryption enabled. The problem is that I have "misplaced" the manual in which I wrote down my network key. I am able to get on the network about 50% of the time on bootup. If I do not get on at the initial bootup, 2 or 3 reboots usually gets me on the network. Internet connect, diagnostics, etc DOES NOT show my network key anywhere in my keychain. I would like to display my key so that I can be sure that it is in the keychain and also so that I can put it in a secure file if I need it for any of the 6 other computers in the house. Where do I find the key in my MacBook Pro (it is obviously present somewhere as I eventually get on my network). Thanks.

    I thought keychain was just about PWs that were necessarily contained in the PC but I try to ignore Keychain. I think keeping PWs in my head is the safest. Even I can't access them sometimes.
    I did find however that a 62 character WPA passphrase was available to me in clear text. If your router/Access Point has a button in the admin page to back up settings then do that. I then searched for that file and opened it using Textwrangler. You would probably find that the file created by the settings backup routine on the AP will not have a default app assigned to it. Don't ASSIGN Textwrangler. Open that app and then select the settings config bkp as the file to be opened by it.
    Textwrangler has a good search facility so look under 'passphrase' or whatever your connection device uses as a generic term for the passphrase. It will then find your long lost buddy with a neat line number reference.
    Textwrangler is free from Barebones. It is a lot more than a word processor so be careful what you do with the file in it. Do not edit it. Do not save it. That way the router/AP 'restore settings' routine can continue to use it. That is also why you should not set Textwrangler as its default app.
    Of course your router/AP may write its bkp file in some strange format that only it can read. I doubt it.

  • N 97 mini invalid preshared WPA key

    Hi guys, I also suffer from this bug of invalid preshared WPA key. The WLAN worked before, but stopped working one fine day. Have tried most of the things in this forum which I could understand. Also did a hard reset with thanks to U tube, but still with that invalid preshared key situation. Laptop and another device work well on the same WLAN. Is the WPA preshared key the same as the password for the WLAN connection? If so, I have performed this step a dozen times. No luck. Have been using a D link ADSL 502T and a D link wireless router. Need assistance please. Not much of a tech guy so be patient and verbose.

    Ultramark wrote:
    Thanks android for the reply.  Tried both.  When I had first entered it last year it was ascii.  But I did have both the keys and neither worked.
    Is it possible to reconfigure my wireless router after a hard reset and get things right??
    Ultramark
    Make sure you don't use special characters in your WPA psk. Turn off WPA2 only mode on your E97m.

  • VPN between RV042 and Cisco 2801

    HI
    Kindly help me out. I'm configuring a p2p vpn between a cisco 2801 with IOS 12.3 and a linksys RV042. I'm getting following error on Linksys and Cisco respectively.
    [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
    Dec 19 02:40:42 2011
         VPN Log
        Received informational payload, type NO_PROPOSAL_CHOSEN
    dst             src             state               conn-id     slot    status
    x.x.x.x       x.x.x.x   MM_NO_STATE          0        0       ACTIVE
    Below are my config:
    Linksys RV042:
    Keying Mode: IKE with Preshared Key
    Phase1 DH Group: Group2
    Phase1 Encryption: 3DES
    Phase1 Authentication: MD5
    Phase1 SA Life Time: 28800
    Perfect forward secrecy : enabled
    Phase2 DH Group: Group2
    Phase2 Encryption: 3DES
    Phase2 Authentication: MD5
    Phase2 SA Life Time: 28800
    Preshared Key: xxxxxx
    Cisco 2801:
    crypto isakmp policy 11
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key xxxxxx address xxxxxx
    no crypto isakmp ccm
    crypto ipsec transform-set STRONGER esp-3des esp-md5-hmac
    crypto map myvpn 10 ipsec-isakmp
    set peer xxxxxx
    set transform-set STRONGER
    set pfs group2
    match address 103
    interface FastEthernet0/0
    ip address 10.0.0.56 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/1
    ip address xxxx xxxx
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    duplex auto
    speed auto
    crypto map myvpn
    ip nat pool branch xxxxxx xxxxx netmask 255.255.255.240
    ip nat inside source route-map nonat pool branch overload
    access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 deny   ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 permit ip 10.0.0.0 0.0.0.255 any
    snmp-server community public RO
    route-map nonat permit 10
    match ip address 110
    Regards
    SAM

    Hi,
    It looks like you are using the default hash for the crypto isakmp policy and that your connection is failing on the phase 1 negotiation.  The default hash on the crypto isakmp policy is sha.  On the 2801 try adding hash md5.
    crypto isakmp policy 11
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    Let me know if that helps.
    Thank you,
    Jason NIckle
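
The mismatch described in this reply, worked through as an added example (not code from the thread): a small parser that fills in the values an IOS `crypto isakmp policy` block leaves implicit and compares the result with the RV042 phase 1 settings posted above. The default table reflects classic IOS 12.x behaviour and, like the function names and the RV042 dictionary, is an assumption of this example.

```python
import re

# Classic IOS ISAKMP policy defaults; lines equal to a default are not shown
# in "show run". (Assumption of this example, not taken from the thread.)
IOS_DEFAULTS = {
    "encr": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Attributes that both peers must agree on for a phase 1 proposal to be chosen.
MUST_MATCH = ("encr", "hash", "authentication", "group")

# Policy lines as posted for the 2801 (flattened, no indentation).
POSTED_2801 = """\
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxx address xxxxxx
"""

# The same policy with the "hash md5" line suggested in the reply.
SUGGESTED_2801 = POSTED_2801.replace("encr 3des\n", "encr 3des\nhash md5\n")

# RV042 phase 1 settings from the post, rewritten in IOS vocabulary
# (Group2 -> "2", "IKE with Preshared Key" -> "pre-share").
RV042_PHASE1 = {
    "encr": "3des",
    "hash": "md5",
    "authentication": "pre-share",
    "group": "2",
}


def parse_isakmp_policies(config_text):
    """Return {policy number: effective settings}, defaults included."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        header = re.match(r"crypto isakmp policy (\d+)$", " ".join(words))
        if header:
            current = policies.setdefault(header.group(1), dict(IOS_DEFAULTS))
            continue
        key = "encr" if words[0] == "encryption" else words[0]
        if current is not None and key in IOS_DEFAULTS and len(words) >= 2:
            current[key] = " ".join(words[1:])   # keeps values such as "aes 256"
        else:
            current = None                       # any other line ends the block
    return policies


def phase1_mismatches(policy, peer):
    """Return {attribute: (local value, peer value)} for every disagreement."""
    return {k: (policy[k], peer[k]) for k in MUST_MATCH if policy[k] != peer[k]}


if __name__ == "__main__":
    for label, text in (("posted", POSTED_2801), ("suggested", SUGGESTED_2801)):
        policy = parse_isakmp_policies(text)["11"]
        print(label, phase1_mismatches(policy, RV042_PHASE1) or "no mismatch")
```
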

  • Can you hide the crypto pre-shared key?

    Is there a way to hide the crypto pre-shared key in IOS? Following is an example of a config command where the key is not hidden:
    crypto isakmp key cisco123 address 10.0.110.1
    Thanks!

    all about encrypting preshared keys in IOS:
    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad9.html
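
To see where a saved configuration still carries keys in the clear, as in the command quoted in this question, the following added example (not part of the original thread) scans IOS and ASA configuration text and reports how each pre-shared key is stored without echoing the key itself. The sample lines, the type 6 blob and the function names are constructed for illustration.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int
    scope: str     # peer address (IOS) or tunnel-group name (ASA)
    storage: str   # "cleartext", "type6" or "masked"


# IOS: crypto isakmp key [0|6] <keystring> address|hostname <peer>
IOS_KEY = re.compile(
    r"^\s*crypto isakmp key\s+(?:(?P<type>[06])\s+)?(?P<key>\S+)"
    r"\s+(?:address|hostname)\s+(?P<peer>\S+)")

# ASA: tunnel-group <name> ipsec-attributes, followed by a pre-shared-key line
ASA_GROUP = re.compile(r"^\s*tunnel-group\s+(?P<name>\S+)\s+ipsec-attributes")
ASA_KEY = re.compile(
    r"^\s*(?:ikev[12]\s+(?:(?:local|remote)-authentication\s+)?)?"
    r"pre-shared-key\s+(?P<key>\S+)")

# Constructed sample input. The first line is the form quoted in the question;
# the type 6 blob and the last ASA value are placeholders, not real secrets.
SAMPLE_CONFIG = """\
crypto isakmp key cisco123 address 10.0.110.1
crypto isakmp key 0 cisco123 address 10.0.110.2
crypto isakmp key 6 EXAMPLE-TYPE6-BLOB address 10.0.110.3
tunnel-group cisco ipsec-attributes
 pre-shared-key *
 ikev1 pre-shared-key *****
 ikev1 pre-shared-key PLACEHOLDER-VALUE
"""


def audit_psk_lines(config_text):
    """Classify every pre-shared key line; the key value is never returned."""
    findings = []
    group = "?"
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = ASA_GROUP.match(line)
        if m:
            group = m.group("name")
            continue
        m = IOS_KEY.match(line)
        if m:
            storage = "type6" if m.group("type") == "6" else "cleartext"
            findings.append(Finding(line_no, m.group("peer"), storage))
            continue
        m = ASA_KEY.match(line)
        if m:
            masked = set(m.group("key")) == {"*"}
            findings.append(
                Finding(line_no, group, "masked" if masked else "cleartext"))
    return findings


def cleartext_findings(config_text):
    """Lines that expose a key to anyone who can read the file."""
    return [f for f in audit_psk_lines(config_text) if f.storage == "cleartext"]


if __name__ == "__main__":
    for f in audit_psk_lines(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.scope}: {f.storage}")
```

A `masked` result means the archive cannot be used to restore the tunnel, which is the backup problem raised in the LMS thread earlier on this page; a `cleartext` result means the file itself needs the same protection as the key.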

  • Can't get networkmanager working with openvpn (using static key)

    I'm trying to configure networkmanager to open up my VPN connection - using the static/preshared key method - but no dice.  (Although I'm able to connect just fine using openvpn from the command line)  Anyone been able to get this to work and/or have some suggestions?
    I've installed the packages networkmanager, networkmanager-openvpn, and nm-applet.  I run nm-applet, and configure the connection, but when I try to launch the connection, it fails.  Log file reads as follows:
    Oct 28 16:43:56 daroselin NetworkManager: <info> Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 19131
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin state changed: 1
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin state changed: 3
    Oct 28 16:43:56 daroselin nm-openvpn[19133]: OpenVPN 2.1_rc20 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 18 2009
    Oct 28 16:43:56 daroselin nm-openvpn[19133]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 28 16:43:56 daroselin nm-openvpn[19133]: LZO compression initialized
    Oct 28 16:43:56 daroselin kernel: tun0: Disabled Privacy Extensions
    Oct 28 16:43:56 daroselin nm-openvpn[19133]: TUN/TAP device tun0 opened
    Oct 28 16:43:56 daroselin nm-openvpn[19133]: /sbin/ifconfig tun0 10.1.0.2 pointopoint 10.1.0.1 mtu 1500
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN connection 'DARSYS VPN' (Connect) reply received.
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin failed: 2
    Oct 28 16:43:56 daroselin nm-openvpn[19133]: /usr/libexec/nm-openvpn-service-openvpn-helper tun0 1500 1545 10.1.0.2 10.1.0.1 init
    Oct 28 16:43:56 daroselin nm-openvpn[19133]: Exiting
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin failed: 1
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin state changed: 6
    Oct 28 16:43:56 daroselin NetworkManager: <info> VPN plugin state change reason: 0
    Oct 28 16:43:56 daroselin NetworkManager: <WARN> connection_state_changed(): Could not process the request because no VPN connection was active.
    Oct 28 16:43:56 daroselin NetworkManager: <info> Policy set 'Auto eth0' (eth0) as default for routing and DNS.
    Suspiciously, it never seems to try to open a connection to the gateway.  (Note that the gateway's IP address never appears in the log entries.)
    I've configured the connection in nm-applet as follows:
    Gateway:  <internet IP address of the gateway/server I'm trying to VPN into>
    Type:  Static Key
    Static Key:  <the static key file>
    Key direction:  none
    Remote IP address:  10.1.0.1
    Local IP address:  10.1.0.2
    When I launch openvpn from the command line, the conf file reads as follows:
    [darose@daroselin ca]$ cat /etc/openvpn/static-client.conf
    # Sample OpenVPN configuration file for
    # office using a pre-shared static key.
    # '#' or ';' may be used to delimit comments.
    # Use a dynamic tun device.
    # For Linux 2.2 or non-Linux OSes,
    # you may want to use an explicit
    # unit number such as "tun1".
    # OpenVPN also supports virtual
    # ethernet "tap" devices.
    dev tun
    remote <internet IP address of the gateway/server I'm trying to VPN into>
    # 10.1.0.1 is our local VPN endpoint (office).
    # 10.1.0.2 is our remote VPN endpoint (home).
    ifconfig 10.1.0.2 10.1.0.1
    # Our up script will establish routes
    # once the VPN is alive.
    ; up ./office.up
    #up ./client.up
    route 10.0.0.0 255.255.255.0 10.1.0.1
    # Our pre-shared static key
    secret static.key
    # OpenVPN 2.0 uses UDP port 1194 by default
    # (official port assignment by iana.org 11/04).
    # OpenVPN 1.x uses UDP port 5000 by default.
    # Each OpenVPN tunnel must use
    # a different port number.
    # lport or rport can be used
    # to denote different ports
    # for local and remote.
    ; port 1194
    # Downgrade UID and GID to
    # "nobody" after initialization
    # for extra security.
    #user nobody
    #group nobody
    # If you built OpenVPN with
    # LZO compression, uncomment
    # out the following line.
    comp-lzo
    # Send a UDP ping to remote once
    # every 15 seconds to keep
    # stateful firewall connection
    # alive. Uncomment this
    # out if you are using a stateful
    # firewall.
    ; ping 15
    # Uncomment this section for a more reliable detection when a system
    # loses its connection. For example, dial-ups or laptops that
    # travel to other locations.
    ; ping 15
    ping 10
    ; ping-restart 45
    ping-restart 120
    ;keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    # Verbosity level.
    # 0 -- quiet except for fatal errors.
    # 1 -- mostly quiet, but display non-fatal network errors.
    # 3 -- medium output, good for normal operation.
    # 9 -- verbose, good for troubleshooting
    verb 3
    #verb 9
    Anyone have any idea what the problem might be here?

    If anyone's curious, I opened an upstream bug about this:
    https://bugzilla.gnome.org/show_bug.cgi?id=606998

  • "Length is too big" IOException when using OpenSSL key/certs

    Using WLS 5.1, SP6, Solaris
    Hello one and all:
    I am trying to test WLS with SSL. I am using the OpenSSL package to act as my
    own CA and generate and sign my own server certs. I don't have any problem
    with this part.
    However, when I try to use my private key with WLS, I get this
    error upon startup:
    Java.io.IOException: Length is too big: takes 56 bytes
    at weblogic.security.ASN1.ASN1Header.inputLength(ASN1Header.java:133)
    at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:105)
    at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:107)
    at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:85)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:285)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:214)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1180)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.NmsIpServer.main(NmsIpServer.java:13)
    Thu Mar 22 16:02:25 EET 2001:<E> <SSLListenThread> Security
    Configuration Problem with SSL server encryption Key
    (<path-to-key hidden for publication --scott>),
    java.io.IOException: Length is too big: takes 56 bytes
    I have read many messages on this group that indicate this same
    problem. Some of the suggestions included checking the formatting
    of the server key file for extra linefeeds, etc. I have done this.
    I even tried the OpenSSL "asn1-kludge" option. It didn't work
    either.
    So, I hope to hear from someone who has successfully used OpenSSL
    keys and certs with WLS.
    Thanks,
    --scott

    Hi.
    I had the same problem when I specified a cakey.pem file that was encrypted. For
    some reason, WLS doesn't seem to support a scheme where it prompts for a password
    to use for decryption of the private key. Try to decrypt the private key:
    openssl rsa -in cakey.pem -out ca_unsafe.pem
    and deploy this certificate instead, then it will work ;-)
